Vulnerabilities > Apache > Linkis
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-02 | CVE-2024-27182 | Files or Directories Accessible to External Parties vulnerability in Apache Linkis 1.3.2/1.4.0/1.5.0 In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on A user with an administrator account could delete any file accessible by the Linkis system user . Users are recommended to upgrade to version 1.6.0, which fixes this issue. | 4.9 |
| 2024-07-15 | CVE-2023-41916 | Files or Directories Accessible to External Parties vulnerability in Apache Linkis 1.4.0/1.5.0 In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. | 6.5 |
| 2024-07-15 | CVE-2023-46801 | Deserialization of Untrusted Data vulnerability in Apache Linkis 1.4.0/1.5.0 In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version < 1.8.0_241. | 8.8 |
| 2024-07-15 | CVE-2023-49566 | Deserialization of Untrusted Data vulnerability in Apache Linkis 1.4.0/1.5.0 In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious db2 parameters in the DataSource Manager Module will result in jndi injection. | 8.8 |
| 2023-04-10 | CVE-2023-27602 | Unrestricted Upload of File with Dangerous Type vulnerability in Apache Linkis In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties `wds.linkis.workspace.filesystem.owner.check=true` `wds.linkis.workspace.filesystem.path.check=true` | 9.8 |
| 2023-04-10 | CVE-2023-27603 | Path Traversal vulnerability in Apache Linkis In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability. We recommend users upgrade the version of Linkis to version 1.3.2. | 9.8 |
| 2023-04-10 | CVE-2023-29215 | Deserialization of Untrusted Data vulnerability in Apache Linkis In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger a deserialization vulnerability and eventually lead to remote code execution. | 9.8 |
| 2023-04-10 | CVE-2023-29216 | Deserialization of Untrusted Data vulnerability in Apache Linkis In Apache Linkis <=1.3.1, because the parameters are not effectively filtered, the attacker uses the MySQL data source and malicious parameters to configure a new data source to trigger a deserialization vulnerability, eventually leading to remote code execution. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.2. | 9.8 |
| 2023-04-10 | CVE-2023-27987 | Inadequate Encryption Strength vulnerability in Apache Linkis In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values. We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. | 9.1 |
| 2023-01-31 | CVE-2022-44644 | Improper Input Validation vulnerability in Apache Linkis In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. | 6.5 |